Slashdot Mirror
Ask Slashdot: How Serious Is Hacking In Mobile Games?
Origen writes: As a developer contemplating trying out the mobile game scene, a GDC session about hacking/tampering looked interesting — but I wasn't able to attend. The presentation isn't available online, but it was paired with a whitepaper [contact details required], which can be downloaded. I'm surprised by some of the information presented and the potential for damage/mischief. Not so much that these issues are unheard of — they've existed for years on other platforms. What I find surprising is the lack of support at the OS level on mobile devices to defend from many of these types of hacks. Have we learned nothing from the pains of the past? How significant are the points about hacking/piracy in the mobile space that are discussed by this whitepaper?
I don't know about mobile games but I remember Super Meat Boy made an actual connection to the high scores database from the game client, this was very quickly abused for 0.00 times.
The things people do to cut corners sometimes is amazing.
OS level protection wouldn't do much if someone's really dedicated, they'll just remove those protections if needed. Assume everything coming through an internet connection is compromised, don't trust your game client.
But are you going to give up on the CONVENIENCE?
Never trust any input. Validate, validate, validate!
People already think Apple's walled garden and sandboxing go overboard. Remember that legit developers have to pay Apple $99/year just to develop+run an app on their own device. Apple also has a long list of requirements about what your app not allowed to do. I'd really hate to see what they do if they got *serious* about locking down the platform.
Blocking any form of "hacking" will also hurt legitimate users. For example, being able to install an APK manually, not every devices come with the Google Play store and quite frankly the Amazon appstore is extremely lacking compared to the Play store. So being able to install apk is a life saver.
Removing similar features will just hurt the userbase even more.
This is why Windows became so popular, and now Android. Or whatever gaming console has the most piracy atm.
On the contrary, mobile devices and hardware are awash in security features. Hardware based chain-of-trust, encrypted storage, signed applications, detailed permissions... these are all lessons learned from their big brother operating systems. Modern mobile OSes are actually far more difficult to maliciously subvert than PC systems, but of course, many of those features mean they're also closed systems, and aren't nearly as flexible. It's definitely a trade off. We see that pretty clearly with Android vs iOS, where iOS has a miniscule amount of malware simply by virtue of being a closed system.
In terms of game development, I think the focus is more on hacking the client than hacking the OS. As a former MMO dev, the rule was that you really can't trust *anything* the client gives you. Simple as that. It makes development a hell of a lot harder, but time and time again we see new MMOs or multiplayer games (presumably created by inexperienced developers) that break this cardinal rule and get hacked all to hell and back.
Irony: Agile development has too much intertia to be abandoned now.
Complex topic, I would "no" at least in the scope "should you as a developer take significant steps to prevent hacking"
Consider following: ;)
1) The whitepaper is from a company selling services for this, they want to paint a grim picture
2) Like PC with piracy, Android/jailbroken iOS piracy is likely something you can't solve, but it will take a lot of time & money to fight
3) People downloading pirated games are pretty much lost audience, they were not planning to buy upfront anyhow
4) Anti-piracy measures can piss off your real customers. This is much bigger risk in mobile where it's really easy to just move along
5) If you can detect pirated users, feel free to "up the ante" in ads to full page interstitials, etc.
So, worry about making a good game, follow best practices about validating IAP results, but let Apple & Google worry about securing APIs
We don't need "OS level protections". It's your phone, you control all the code on it. Same as on your PC. Are you really fucking bitching that phones don't have enough fucking DRM? I'm sure glad to give up all my freedoms so some teenager can't cheat in clash of fucking clans.
Didn't read the article.
I use a free and very useful and free program called "x-plore", I download an .APK, point x-plore to it and it's installed. Painless. X-plore has two abilities related to an .APK file open it as a zip file or install it.
Most of the advises given (if not all) are ineffective and in some cases make things worse.
Code and data obfuscation only provides false sense of security (and a large paycheck for your "security" vendor) - If i have access to binaries, have root OS access and skills to de-compile the app, obfuscation/encryption (with local key) is only a small nuisance (compared to skill required for decompilation/repackaging/on-the-fly modification)
Moving data to server-side provides a simpler attack-vector - i can MTM the (hopefully) secure connection and alter data sent to app - i don't even have to decompile the app to hack it
On-the-fly binary validation does not work (again, if i have OS level access) - i can disable/fake it.
The numbers in the paper are classic marketing bull - when are you more likely to buy an 99$ in-app purchase?
- if you can do it for free (Apple MTM bug)
- if you actually have to pay for it
TLDR:
You can't protect against hacking/repackaging if the hacker has access to binaries and root.
You can't protect against data modification if the hacker can install hes own CA on the device.
Just don't call your game "the gibson". That is all.
Piracy in China is rampant, one of the worst in the world but the development scene for Chinese mobile game is booming
Game developers, in fact, all app developers can learn how the Chinese app developers are doing ---
1. They expect their app to be pirated
Not only they expect it, they hope people would pirate their app the more the better
2. Chinese app / mobile game developers do not make game to sell
All their games / app are free. Free to download, free to copy, free to pirate, and they do not place limit on their games / app - whatever game downloaded is the *FULL* version, no crippleware
Instead, the Chiense app / game developers earn money from in-game purchases, and they are raking boatloads of $$$ from it
My name is Bunzi Hatata and I'm a Nigerian Prince who needs your help bringing jailbreaks to African phones.
Please yadayadayada.
Calm down. OP is obviously trolling.
Hint: When a low 6-digit UID (243066) makes its first-ever post at least 10+ years after the account was created, you know to suspect foul play. Suspicions are confirmed when the post hits all the /. buttons about privacy and security with blatant disregard for logic.
Great find !! THANK YOU !!!
As a frequent submitter I am way beyond surprised that the 'Origen' account's first submission (in fact, first of anything in /. after registration more than 10 years ago) was accepted !
Something really fishy is going on
TFA most likely is a click bait --- and the "Origen" most likely is one of the many 'reserved' accounts in which only the admins (or the moderator) could use
Thanks again !!
People really don't realize how much code is use to produce a product, how much code is used to admin the code, how much code is use to admin people, is such amount of code that there is no financial, human and technical resources to any software company deal with all kinds of threats that user might be exposed with "a simple piece of software". Now Im getting used to say that apocalipse will happen cause U.S. president won't be able to login nuke system cause its far beyond a single human can do, its just a metaphora, but I think you get the point. Now imagine in a hundred of years, there will be such amount of code that not even a bot smarter than a human will handle that.
Ever hear of Candy Crush Saga?
Ever hear of CandySwipe? That's the game that came out 2 years BEFORE Candy Crush Saga (http://www.snopes.com/politics/business/candycrush.asp).
Of course, it continues to boil down to being clones / copies of earlier games (Bejewelled for example).
Artwork, design, music, sounds, ideas, most (if not all) are being stolen like crazy in the mobile market. If you don't have a thick skin, don't get into it. Chances are, you spend months, if not years, crafting a beautiful game and release it at $0.99 in the store to only find a cheap copy of it in less than a week on the F2P model from some backwoods out of country developer.
Are you planning on using a service like FGL.com to find sponsors? They offer help and a better community on how to protect your game.
This is always been the solution, even after such massive failures as the Valve Anti-Cheat System on PCs. Have the game analyze the size, name, and even hash of all its files when it opens. If they're different than a preapproved list that's loaded into memory for milliseconds after being unencrypted with an enormous hard-wired password, refuse to open the game. That's moderately secure, assuming they can't get to the hard wired password.
It's not that serious.
Your game will be compromised, it's up to you how you control how that affects other people.
Have the client record input log during gameplay and submit it to the server once the game completes, then replay it on the server when verifying a submitted score. If you really want to block an offline tool-assisted speedrun, require the client to submit a piece of the input log every five seconds or so.
If it's single player, don't bother.
On some popular video game platforms, no major single-player game is truly single-player. For a decade, it has become a race among friends to get the achievements first.
"Have we learned nothing from the pains of the past?"
have you learned nothing about handheld battery life?
Reading the whitepaper, the whole thing seems like it's focused on promoting Arxan's services. It's entirely possible that the presentation itself took a different tone/direction, but the whitepaper itself was fairly contentless sprinkled with a few good points about older MITM attacks exploiting the In-App purchases for iOS and the high piracy rates on Android in China and Russia.
Really that last part is the thrust of the article -- high piracy rates for which they don't really offer any solution except DRM and always-online games. (To their credit, they do make the recommendation of "some sort of protection on the networking layer, in-memory layer, and on disk layer...as well as portions dealing with receiving and unpacking the player's saved game or state.")
Everything else was either misleading, fairly obvious non-suggestions, or just plain outdated information.
Examples:
- Whitepaper dedicates a section to lost revenue from a MITM attack allowing iOS users to get in-app purchases for free. The reference they use is a 2012 article from the Guardian talking about how Apple already fixed it. Specifically, this was relating to iOS 5 and has since been resolved. While Jailbreak options still exist, the whitepaper does not mention these nor does it discuss any other actual leak.Referenced Article
- Whitepaper has section on Flappybird clones which reads:
...However, by March 2014, approximately 60 Flappy Bird clones a day were being added to the iOS App Store...Worst of all -- a reported 79% of these clones contained malware.
This section has a reference that points to a McAfee threat report from June 2014 - as the section reads, "these" refers to the clones on the iOS App Store, however, the McAfee report clearly shows that this is Android stores that are plagued, not iOS. http://www.mcafee.com/us/resou... Page 6
- Whitepaper has a section on how hackers damage communities, which is not incorrect, however, they provide the following "helpful" tips:
While these are not bad suggestions, they're also absolutely common sense for mobile game developers, or just people dealing with problems in general.
The submitter is absolutely right that this could have been a really keen presentation, but based on what they produced in the whitepaper, it sounds like a business trying to drum up some more business for themselves with misleading and/or useless information.
"As a developer contemplating trying out the mobile game scene, a GDC session about hacking/tampering looked interesting .. Have we learned nothing from the pains of the past?"
...
I would ask anyone in developing connected devices. What happened the last time you tried to hack your own device? And if the answer is you haven't even tried then most definitely you've learned nothing about security. If the underlying OS can't prevent hackers walking all over your memory then it's GAME OVER
In Simpsons tapped out, a typical time-waster of a moblie game, free with premium content, players found an exploitable bug allowing them what is basically infinite money. IIRC they handled it this way :
- they fixed the bug
- they referred to the hack an in-game event (the moral being of course : you won't get any fun by hacking)
- they gave a special item to everyone that didn't use the exploit
- they didn't penalize those who did (except by not giving them the special item)
I found it was a wonderful way to handle the situation : they didn't punish the hackers, they simply told that the non-hackers were way cooler.
Your game will be hacked and pirated, even if it is free. The more successful your game, the quicker the hacks will appear and the more sophisticated they will be.
Currently, the only effective counter measures are through social networking effects e.g. League Of Legends, Twitter, Facebook.
Expect it, plan for it, then repeat after me:
"The only thing worse than a potential customer pirating your software is a potential customer pirating your competitor's software."
you haven't learned from history, either.
Some people have, yes. Most people have not, however.
The problem is that nothing is actually secure-by-default - it has to be designed with security in mind from the very start. Every OS has lots of supporting technologies available to assist in building a secure system but unless the designers and developers actually use those tools then the end-result will be a festering pile of insecure crap. And some software authors intentionally bypass security because "it's easier" or "it gets in the way."
Example: without any knowledge or input from the development or security staff at a company I've worked for a particular "operations" person started writing desktop utilities for staff use so that they could bypass the main software of the company to do things "more efficiently." Problem is that these utilities used direct connections to the backing database bypassing the public API completely ... and stored the plaintext "sa" password in their .config files to do so. How fucking brain dead is that?
For an indie developer, the real problem is that almost nobody can get a significant number of players in such an over-crowded, competitive marketplace unless they have a hugely popular brand (famous movie, famous developer, famous game company, something), or millions of dollars in marketing money.
Given that your indie title with no marketing "oomph" behind it is 99.999% likely to not get a large number of players or make significant money, fixing any potential security problems in it is almost always going to be a waste of your time. Unless you're just doing this hobby to learn game security programming. If you're doing this hobby to learn fun gameplay programming, physics engines, client server coding, etc. don't worry about the security piece too much. (If you want to learn EVERY detail of game programming from your hobby, sure, learn security too.)
It's not like 1000 people are modding the files in 1000 ways.
Yet.
Virus authors figured out polymorphic code long ago. Now imagine one jackass making a program that shuffles the order of blocks of code in the hack so that you have 1000 files all different but with identical behavior. Thus blacklisting fails for wallhack and aimbot detection the same way it has been shown to fail for virus detection.